actions/warden
4
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

add secrets #1

Merged
jamie merged 30 commits from feature/add-secrets into main 2025-02-27 14:16:41 +00:00
Conversation 1 Commits 30 Files Changed 1 +25 -153
5 changed files with 25 additions and 153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 9880149e9f - Show all commits

1
.gitignore vendored
View File

@ -1 +0,0 @@
/node_modules

47
action.yml
View File

@ -33,32 +33,33 @@ runs:
- name: Unlock Vault - name: Unlock Vault
shell: sh shell: sh
run: | run: |
# Ensure Bitwarden is logged in
if ! bw login --check; then
bw login --apikey bw login --apikey
fi echo "BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)" >> $GITHUB_ENV
# Unlock the vault and store the session key
BW_SESSION=$(bw unlock "${{ inputs.password }}" --raw)
# Verify if BW_SESSION is set correctly
if [ -n "$BW_SESSION" ]; then
echo "BW_SESSION=$BW_SESSION" >> "$GITHUB_ENV"
export BW_SESSION
echo "✅ Vault unlocked successfully!"
else
echo "❌ Failed to unlock Bitwarden vault"
exit 1
fi
env: env:
BW_CLIENTID: ${{ inputs.client-id }} BW_CLIENTID: ${{ inputs.client-id }}
BW_CLIENTSECRET: ${{ inputs.client-secret }} BW_CLIENTSECRET: ${{ inputs.client-secret }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Retrieve Requested Secrets - name: Retrieve Requested Secrets
shell: sh shell: bash
run: node retrieveSecrets.js run: |
IFS=$'\n' read -d '' -r -a secret_pairs <<< "${{ inputs.secrets }}"
for pair in "${secret_pairs[@]}"; do
SECRET_ID=$(echo "$pair" | cut -d'>' -f1 | xargs)
ENV_VAR=$(echo "$pair" | cut -d'>' -f2 | xargs)
if [[ -z "$SECRET_ID" || -z "$ENV_VAR" ]]; then
echo "❌ Invalid secret pair format: $pair"
continue
fi
echo "🔍 Retrieving secret: $SECRET_ID..."
SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" 2>/dev/null)
if [[ -n "$SECRET_VALUE" ]]; then
echo "$ENV_VAR=$SECRET_VALUE" >> "$GITHUB_ENV"
echo "✅ Stored $SECRET_ID in $ENV_VAR"
else
echo "❌ Failed to retrieve secret: $SECRET_ID"
fi
done

70
package-lock.json generated
View File

@ -1,70 +0,0 @@
{
"name": "warden",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"dependencies": {
"@actions/core": "^1.11.1"
}
},
"node_modules/@actions/core": {
"version": "1.11.1",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
"integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
"dependencies": {
"@actions/exec": "^1.1.1",
"@actions/http-client": "^2.0.1"
}
},
"node_modules/@actions/exec": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
"integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
"dependencies": {
"@actions/io": "^1.0.1"
}
},
"node_modules/@actions/http-client": {
"version": "2.2.3",
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
"integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
"dependencies": {
"tunnel": "^0.0.6",
"undici": "^5.25.4"
}
},
"node_modules/@actions/io": {
"version": "1.1.3",
"resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
"integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="
},
"node_modules/@fastify/busboy": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
"integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
"engines": {
"node": ">=14"
}
},
"node_modules/tunnel": {
"version": "0.0.6",
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
"engines": {
"node": ">=0.6.11 <=0.7.0 || >=0.7.3"
}
},
"node_modules/undici": {
"version": "5.28.5",
"resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
"integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
"dependencies": {
"@fastify/busboy": "^2.0.0"
},
"engines": {
"node": ">=14.0"
}
}
}
}

5
package.json
View File

@ -1,5 +0,0 @@
{
"dependencies": {
"@actions/core": "^1.11.1"
}
}

53
retrieveSecrets.js
View File

@ -1,53 +0,0 @@
import * as core from "@actions/core";
import { execSync } from "child_process";
function getSecrets() {
try {
const secretsRaw = core.getInput("secrets", { required: true });
const sessionKey = process.env.BW_SESSION;
if (!sessionKey) {
throw new Error("BW_SESSION is not set. Make sure Bitwarden is unlocked.");
}
// Secrets parsen naar een array van { id, name }
const secrets = secretsRaw
.split("\n")
.map((s) => s.trim())
.filter((s) => s.includes(">"))
.map((s) => {
const [id, name] = s.split(">").map((part) => part.trim());
return { id, name };
});
if (secrets.length === 0) {
throw new Error("No valid secrets provided.");
}
core.info(`🔍 Retrieving ${secrets.length} secrets from Bitwarden...`);
secrets.forEach(({ id, name }) => {
try {
const value = execSync(`bw get notes ${id} --session ${sessionKey}`, {
encoding: "utf-8",
}).trim();
if (value) {
core.exportVariable(name, value);
core.setSecret(value); // Verberg secret in logs
core.info(`✅ Stored secret ${id} as ${name}`);
} else {
core.warning(`⚠️ No value found for secret: ${id}`);
}
} catch (error) {
core.warning(`❌ Failed to retrieve secret: ${id} - ${error.message}`);
}
});
core.info("✅ All secrets retrieved successfully!");
} catch (error) {
core.setFailed(`❌ Error retrieving secrets: ${error.message}`);
}
}
getSecrets();